RIGS IT Xanitizer

Basic Information
Tool first release date
Version release date
Software cost
Free, Paid
Software license
Supported operating systems
macOS, Linux, Windows
Process Integration
Deployment model
Workstation, CI Server
Analysis inputs
Compilation along with all dependencies, Source code
SCM Integration
Display results in IDE
Live analysis & feedback while coding in IDE
Pre-commit invocation from workstation
CI Integration
Generic command line interface (CLI), Ant, Maven
Able to analyze incremental changes to code (commit, patch, pull request)
Can schedule scans
API method to report results in SARIF format
API method to report results in XML/JSON/CSV format
Claimed CWE coverage notes

7 J2EE Misconfiguration: Missing Custom Error Page
16 Configuration
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
23 Relative Path Traversal
24 Path Traversal: '../filedir'
25 Path Traversal: '/../filedir'
26 Path Traversal: '/dir/../filename'
27 Path Traversal: 'dir/../../filename'
28 Path Traversal: '..\filedir'
29 Path Traversal: '\..\filename'
30 Path Traversal: '\dir\..\filename'
31 Path Traversal: 'dir\..\..\filename'
32 Path Traversal: '...' (Triple Dot)
33 Path Traversal: '....' (Multiple Dot)
34 Path Traversal: '....//'
35 Path Traversal: '.../...//'
36 Absolute Path Traversal
37 Path Traversal: '/absolute/pathname/here'
38 Path Traversal: '\absolute\pathname\here'
39 Path Traversal: 'C:dirname'
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
83 Improper Neutralization of Script in Attributes in a Web Page
84 Improper Neutralization of Encoded URI Schemes in a Web Page
85 Doubled Character XSS Manipulations
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
87 Improper Neutralization of Alternate XSS Syntax
88 Argument Injection or Modification
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
94 Improper Control of Generation of Code ('Code Injection')
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
111 Direct Use of Unsafe JNI
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
117 Improper Output Neutralization for Logs
250 Execution with Unnecessary Privileges
259 Use of Hard-coded Password
260 Password in Configuration File
295 Improper Certificate Validation
321 Use of Hard-coded Cryptographic Key
327 Use of a Broken or Risky Cryptographic Algorithm
328 Reversible One-Way Hash
329 Not Using a Random IV with CBC Mode
330 Use of Insufficiently Random Values
332 Insufficient Entropy in PRNG
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
347 Improper Verification of Cryptographic Signature
350 Reliance on Reverse DNS Resolution for a Security-Critical Action
359 Exposure of Private Information ('Privacy Violation')
404 Improper Resource Shutdown or Release
425 Direct Request ('Forced Browsing')
434 Unrestricted Upload of File with Dangerous Type
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
494 Download of Code Without Integrity Check
497 Exposure of System Data to an Unauthorized Control Sphere
501 Trust Boundary Violation
502 Deserialization of Untrusted Data
555 J2EE Misconfiguration: Plaintext Password in Configuration File
601 URL Redirection to Untrusted Site ('Open Redirect')
611 Improper Restriction of XML External Entity Reference ('XXE')
613 Insufficient Session Expiration
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
759 Use of a One-Way Hash without a Salt
760 Use of a One-Way Hash with a Predictable Salt
772 Missing Release of Resource after Effective Lifetime
776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
780 Use of RSA Algorithm without OAEP
798 Use of Hard-coded Credentials
827 Improper Control of Document Type Definition
829 Inclusion of Functionality from Untrusted Control Sphere
1004 Sensitive Cookie Without 'HttpOnly' Flag
Supported programming languages
Java, JSP, Scala, XML
Claimed Weakness Coverage
Claimed Weakness Coverage information hasn't been collected yet for this analyzer.
Checker Customization
Can disable checkers
Can customize checker logic
First-class API to create new checkers
Speed & Scalability
Parallelizes on one host
Parallelizes across more than one host
Results Quality
Provides explanation of warning
Provides severity of warning
Provides confidence information about warning
Provides code context around warning
Provides control flow context for warning
Provides data flow context for warning
Provides code coverage information per checker
Results suppression even after code changes
Show differences in results set to previous scan
Integration with external remediation bug tracker
Two-way data sync with external remediation bug tracker
Graphical user interface (GUI)
Ability to search results
Results remediation workflow
Hierarchical reporting for multiple projects, teams, departments, etc.
Filter results by compliance standard
CWE All, CWE/SANS Top 25 Most Dangerous Software Errors (2011), OWASP Top Ten (2013), OWASP Top Ten (2017)
Centralized reporting
Installation guide or documentation
User/operator guide or documentation
Integration guide or API documentation